RSA Thoughts

My time at RSA 2011 is done. After dozens of conversations with security experts and listening to a number of speakers, I noticed a few recurring themes in the overall approach to security.

In no particular order:

It was almost impossible to have a conversation that didn't include the cloud. Cloud security still seems to be a vague idea (and anyone who wants to provide me with some solid cloud security efforts, I'd be happy to hear them), but there was a lot of conversation on different types of clouds -- private, public and hybrid.

Security tends to be reactive rather than proactive. It's always been that way, and there is uncertainty on how to refine that approach.

The way security solutions are set up today, end users are tasked with the bulk of the responsibility of keeping their machines and networks clean. I didn't talk to anyone who thought this current system was fair, yet end users have to accept some responsibility. Which leads to . . .

Education is sorely lacking. At least two people said to me that we can't expect an afternoon security review once every couple of years to provide the type of training employees need to be smart computer users in today's world.

Mobile devices are going to continue to be a security challenge for a while. One of the major issues is the blurred line between professional and personal. How much control can a company have over an employee's personal smartphone, for example, even though the employee uses that phone to check work e-mail and conduct business?